Remote

Revision 2 as of 2008-05-06 13:15:34

Clear message
  • There should be three ways to enable remote recovery:
    • In the GRUB menu, there should be a "remote recovery" option
    • From the command-line, there should be a "remote-recovery" command
    • From the GUI, there should be System Tools->Remote Recovery

  • Experts should be able to run /usr/sbin/connect-to-remote-recovery to prepare their system for a remote recovery.

Running or connecting to a remote recovery should start by doing the following:

  1. Create a remote-recovery user whose home directory is /.remote-recovery, and who has no useful permissions
  2. Set their home directory to be chmod 500
  3. Create a ~remote-recovery/password file, chmod 400
  4. Give the remote-recovery user a random password, and put the password in ~remote-recovery/password
  5. If the SSH server isn't running, enable it. If it won't enable, try various things:
    • If the package doesn't exist, ask if you can install it
    • If /usr or /usr/bin doesn't exist, check whether they're mentioned
      • in /etc/fstab, and if so, whether they're mentioned in mount, then tell the user what's going on, and offer to print the contents of both.

Then, running remote recovery should:

  1. pop up a warning about how doing this gives complete control of your system to a specified computer, and should only be done at the behest of someone you trust.
  2. Add the remote-recovery user to /etc/sudoers
  3. Ask for the IP address and remote-recovery password of the person you'll allow access to
  4. ssh remote-recovery@$ip_address -L22:localhost:2222 4a. if that fails, do various diagnostics:

    • Does the computer have an IP address? Does it have a gateway?
    • Do a tracepath to that address and print the results
    4b. If it succeeds, copy ".ssh/id_dsa.pub" on the remote host to

~remote-recovery/.ssh/authorized_keys
  • on the local host, then touch

".ssh/id_dsa.pub"

to confirm that the copying is complete

  1. Tell the user whether SSH succeeded or failed.
  2. Inform the user that they can press ctrl-c to quit remote recovery.
  3. Wait until w reports a remote-recovery user logged in.

  4. Read lines of text and write them to the remote-recovery user's tty

  5. When the remote-recovery user logs out, ask whether they want to wait for the user to log in again.
    • 9a. If no, go to 10 9b. else go to 7
  6. Remove the remote-recovery user, remove them from sudoers, and delete their home directory

Alternatively, connecting to a remote recovery should do:

  1. Find the IP address(es) of the computer 1a. If any addresses are public (not e.g. 192.168.*.*), print them

    1b. Otherwise, tell the user to find their public address (e.g. through the settings page of their wireless router), and make sure that connections on port 22 are forwarded to <private IP address> port 22.

  2. touch ~remote-recovery/password
  3. Create a ~/.ssh/id_dsa with no passphrase
  4. Print the contents of ~remote-recovery/password, then print it again, using the NATO phonetic alphabet (so hat it can be spoken over the phone)
  5. Make sure the SSH server is running
  6. Wait until the ctime of ~remote-recovery/password is less than the ctime of ~remote-recovery/.ssh/id_dsa
  7. sudo -u remote-recovery ssh remote-recovery@127.0.0.1 -p 2222

  8. The user now has a shell on the newbie's computer, as user remote-recovery. They can then read the password in ~/password, and sudo whatever they need to sudo.
  9. Remove the remote-recovery user and delete their home directory

See also


CategoryNetworking CategoryRecovery